Skip to content

Kubernetes quick start

This page is for people who are familiar with Kubernetes in general, and want to start using it as quickly as possible.

Danger

Kubernetes SIG Network and the Security Response Committee have announced the upcoming retirement of Ingress NGINX, the Ingress controller currently used in our Kubernetes infrastructure. Best-effort maintenance will continue until March 2026. We will evaluate alternative solutions and keep you informed about the migration timeline.

More information about the retirement.

Requesting access

To use the managed Kubernetes service, you need to request a namespace. Choose the method that matches your portal affiliation:

If you are a member of the minu.etais.ee portal, you can order the resource directly.

  1. Login to minu.etais.ee.
  2. Navigate to Marketplace -> Platform -> Kubernetes Namespace.
  3. Click Add resource.
  4. Select the organization and project you want the namespace to be created in.
  5. Specify the preferred name for the namespace (we cannot guarantee that the name will be accepted as-is).
  6. Optionally specify the hostname / website URL you want to use with the namespace.
  7. Optionally specify whether you need a GitLab service account to be created.
  8. Specify any additional requests you might have.
  9. Set a name for the resource and add a description.
  10. Click Create.

Info

You will receive an email when the namespace is ready or if we have any additional questions.

If you are a member of the minu.riigipilv.ee portal, you can order the resource directly.

  1. Login to minu.riigipilv.ee.
  2. Navigate to Marketplace -> Platform -> Kubernetes Namespace.
  3. Click Add resource.
  4. Select the organization and project you want the namespace to be created in.
  5. Specify the preferred name for the namespace (we cannot guarantee that the name will be accepted as-is).
  6. Optionally specify the hostname / website URL you want to use with the namespace.
  7. Optionally specify whether you need a GitLab service account to be created.
  8. Specify any additional requests you might have.
  9. Set a name for the resource and add a description.
  10. Click Create.

Info

You will receive an email when the namespace is ready or if we have any additional questions.

Submit a Kubernetes request on the UTHPC website. Alternatively, you can email your request to support@hpc.ut.ee .

Info

You will receive an email when the namespace is ready or if we have any additional questions.

Policies set access at the tenant/namespace level. This means that you get a namespace with access to that specific namespace, mostly with administrator permissions.

Using access

UTHPC uses a kubeconfig file to permit access to Kubernetes. The certificate and token are embedded inside the kubeconfig file. This means you need to have kubectl installed.

Kubernetes allows access via the MyAccessID authentication system. This is the easiest way to obtain access to the cluster, as everyone shares the same KUBECONFIG file.

You should still write to support@hpc.ut.ee to get the necessary permissions, as by default a user has no permissions inside the cluster.

Authenticating requires completing three steps:

  1. Install the kubelogin kubectl plugin. This is required to authenticate with MyAccessID.
  2. Add the shared KUBECONFIG file to your local computer (see below). If you place it at ~/.kube/config, it is automatically used for all kubectl commands.
  3. The first kubectl command you run will open a browser window where you can log in with your institution's credentials. Upon success, you'll have access to the cluster.

Use this configuration if you requested access via the ETAIS portal or via a manual request. Authentication is handled through the ETAIS Keycloak realm.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01Ea3hOVEV3TlRFek1Gb1hEVE13TURreE16RXdOVEV6TUZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTkt5CnBtNy9BVmFPQStnT1BEQzBtekZ6d0pzRUw3ZkRMN0taR3R1Y3RycUJIR3JaL0MyZ2pJbEpwN2pCZ0FDU0E2eW4KNEhqNXk0UTdTN0s0R0JhbGNya3QrV2duMkwyckxKK0NUYXhiYmh4alczRDR6dEdtanhJTUFSeXRUV2xDL1ZtVAphTUtCZ3pmTFY5LzBPNUxtM1J4cEFMbm9MN1dUS3lyTmxGR29aSWUxbTVjK0JyenZmZjRKa2dmYWVucEw3Uk5CCjM5TDRvQ3NVdFNXeDZUVGNSN25JTHRiUXZZV0doYnE2UHRzS3BDcmxzMXlSazJDS1QwQUI5akFKMHhzakxkckgKZVZEOFROUFl1aEhBRVhLSVZUenVNUm92Q29DZVVnK002Nk9MNHpJem81aFZadFJJRWtkNi9wSTI1NmpsNVFDMQpJZW5KTDFpK2VwazJvQWpac1RNQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZNRTRpQldSS0ptRTFaZEFJOTZGbXYzdWdSdkZNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFERXdBem0zd1BIcDcwcFhObHdzNmhTV2ZIRWQ1b1prOWlTSzFMTVhFNm4vZHBCQkhiagpMOUVyVlBnWXlpeFFzZFIwZEtKUEZYQlh5dDlERllPVzJqTzRRMUFBVks1U3RTMjk5K3lZUDBIS1ZrZU5STE40Cm1wbDE0Zy9xNW1mR05pRlIzVm93cmFoR3ZQc1R6bVhScTNMd1pHbFZFSXNRR2w5elhYaVZoV29FTllVN2JTa1IKM0FxS0dQc2VDTmRmTTE3TzVZTno0cUw4VDA1Q21zZ1V3dlUrSU5CdFFIcmxXQVhQN2wyR3h5NzBDdmlxUXh2Qgp2d3NaVkpkcXdJMEg0c3ZWNW5FbElLM2dGY2hsTWoxS2k2RTJORGJNRmY4aWNQc2kxTFo1dllHUnVDVEN2QmgrCnd4eVQwekxRd1A4STBiNWZ5V1V3WnBzMmErcVR3V2xxRVpjdgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://kubernetes.hpc.ut.ee:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: etais-user
  name: etais-user@kubernetes
current-context: etais-user@kubernetes
kind: Config
preferences: {}
users:
- name: etais-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://keycloak.hpc.ut.ee/realms/ETAIS
      - --oidc-client-id=kubernetes.hpc.ut.ee
      - --oidc-pkce-method=auto
      command: kubectl
      env: null
      provideClusterInfo: false

Use this configuration if you requested access via the Riigipilv portal. Authentication is handled through the TARA Keycloak realm using PKCE.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01Ea3hOVEV3TlRFek1Gb1hEVE13TURreE16RXdOVEV6TUZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTkt5CnBtNy9BVmFPQStnT1BEQzBtekZ6d0pzRUw3ZkRMN0taR3R1Y3RycUJIR3JaL0MyZ2pJbEpwN2pCZ0FDU0E2eW4KNEhqNXk0UTdTN0s0R0JhbGNya3QrV2duMkwyckxKK0NUYXhiYmh4alczRDR6dEdtanhJTUFSeXRUV2xDL1ZtVAphTUtCZ3pmTFY5LzBPNUxtM1J4cEFMbm9MN1dUS3lyTmxGR29aSWUxbTVjK0JyenZmZjRKa2dmYWVucEw3Uk5CCjM5TDRvQ3NVdFNXeDZUVGNSN25JTHRiUXZZV0doYnE2UHRzS3BDcmxzMXlSazJDS1QwQUI5akFKMHhzakxkckgKZVZEOFROUFl1aEhBRVhLSVZUenVNUm92Q29DZVVnK002Nk9MNHpJem81aFZadFJJRWtkNi9wSTI1NmpsNVFDMQpJZW5KTDFpK2VwazJvQWpac1RNQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZNRTRpQldSS0ptRTFaZEFJOTZGbXYzdWdSdkZNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFERXdBem0zd1BIcDcwcFhObHdzNmhTV2ZIRWQ1b1prOWlTSzFMTVhFNm4vZHBCQkhiagpMOUVyVlBnWXlpeFFzZFIwZEtKUEZYQlh5dDlERllPVzJqTzRRMUFBVks1U3RTMjk5K3lZUDBIS1ZrZU5STE40Cm1wbDE0Zy9xNW1mR05pRlIzVm93cmFoR3ZQc1R6bVhScTNMd1pHbFZFSXNRR2w5elhYaVZoV29FTllVN2JTa1IKM0FxS0dQc2VDTmRmTTE3TzVZTno0cUw4VDA1Q21zZ1V3dlUrSU5CdFFIcmxXQVhQN2wyR3h5NzBDdmlxUXh2Qgp2d3NaVkpkcXdJMEg0c3ZWNW5FbElLM2dGY2hsTWoxS2k2RTJORGJNRmY4aWNQc2kxTFo1dllHUnVDVEN2QmgrCnd4eVQwekxRd1A4STBiNWZ5V1V3WnBzMmErcVR3V2xxRVpjdgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    server: https://kubernetes.hpc.ut.ee:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: tara-user
  name: tara-user@kubernetes
current-context: tara-user@kubernetes
kind: Config
preferences: {}
users:
- name: tara-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://keycloak.hpc.ut.ee/realms/TARA
      - --oidc-client-id=kubernetes.hpc.ut.ee
      - --oidc-pkce-method=S256
      command: kubectl
      env: null
      provideClusterInfo: false

Explore key concepts

For a deeper understanding of how to use the full potential of the Kubernetes environment, please explore the detailed concept guides. These guides provide explanations and examples into how the managed Kubernetes service is set up.

Available guides

  • Databases - Learn how to deploy and manage databases within the managed Kubernetes cluster.
  • Ingress - Discover how to set up and configure Ingress objects to manage external access to your applications.
  • Load Balancers - Understand the setup and usage of LoadBalancer service to manage external access to your applications.
  • Using storage - Learn how to keep data across Pod restarts, persistently.
  • GPU Usage - Explore how to utilize GPUs within the cluster for computing-intensive applications.
  • CI/CD Integration - Get insights into integrating continuous integration and continuous deployment pipelines with UTHPC Kubernetes infrastructure.

Each guide is designed to provide you with the knowledge needed to effectively use and manage the relevant Kubernetes resources. If you're missing some specific feature, feel free to ask HPC support. New operators and extra configurations can be added on request, if it does not negatively impact the cluster's security or usability.

Billing

[ALPHA]

Billing is still in [ALPHA] status, meaning it's not properly done. For now, Kubernetes billing works on agreement basis, but we are working towards implementing an understandable and transparent billing structure.